Code Injection Prevention
Avoid using system/exec/shell_exec if possible. If you have to, make sure you sanitize and validate user input before it reaches them:

Cross Site Request Forgery - CSRF

Cross Site Request Forgery
also known as "one click attack" or "session riding", works by forcing or tricking an end user into executing unwanted actions on a web application in which he/she is currently authenticated. The trigger is delivered through social engineering, such as sending a link via email, chat, etc. A successful attack can compromise the end user's data and operations, and even the entire web application.

Case 1: in some, if not most, cases there is NO session check for the authenticated user and no check that the user is authorized to delete only his/her own "POST". Knowing the "id" sequence number, anybody can delete a random "POST" of a random "user".

Cross Site Request Forgery
Case 2: do things the right way (session checking for the authenticated user, validation that the user is authorized), but with no CSRF protection.

Cross Site Request Forgery
Case 2 (continued): do things the right way, but no CSRF protection. The lure is a plain social-engineering message: "Bro check this out, Rainbow ABC"

Cross Site Request Forgery
POST method will not save you ... !!! A form on the attacker's page can submit a POST to your application just as easily as a link can trigger a GET.


Cross Site Request Forgery
Famous CSRF attacks....
INGDirect.com: attackers were able to transfer funds out of a user's bank account...
YouTube.com: added videos to a user's "Favourites", flagged videos as inappropriate, etc....
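The two fixes the Case 1 and Case 2 slides call for, as an added example that is not part of the original slides: a delete handler that requires an authenticated session, checks a per-session CSRF token that a page on another origin cannot obtain, and verifies that the caller owns the post id. SESSIONS and POSTS are constructed in-memory stand-ins for the session store and database; SECRET_KEY, csrf_token and delete_post are assumed names.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the real session store and database (assumption).
SESSIONS = {"sess-alice": {"user_id": 1}}
POSTS = {"10": {"owner_id": 1}, "11": {"owner_id": 2}}
# Server-side secret; in practice loaded from configuration, never sent to clients.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the session. The site embeds it in its own delete form as
    a hidden field. A page on another origin cannot read it, so a forged POST
    that carries only the automatically-sent session cookie cannot reproduce it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def delete_post(request):
    """Handle POST /delete. request = {"cookie": session id sent by the browser,
    "form": submitted form fields}. Returns (status, message)."""
    cookie = request.get("cookie", "")
    form = request.get("form", {})
    # Case 1 fix, part 1: reject requests that have no authenticated session.
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not authenticated"
    # Case 2 fix: the submitted token must match the one bound to this session.
    # The browser attaches the cookie to a cross-site POST on its own, so the
    # cookie alone proves nothing; only the token shows the request came from
    # the site's own form. compare_digest avoids a timing side channel.
    sent = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(sent, csrf_token(cookie).encode()):
        return 403, "csrf token missing or invalid"
    # Case 1 fix, part 2: knowing an id is not a capability; check ownership.
    post = POSTS.get(str(form.get("id", "")))
    if post is None:
        return 404, "no such post"
    if post["owner_id"] != session["user_id"]:
        return 403, "not the owner of this post"
    del POSTS[str(form["id"])]
    return 200, "deleted"
```

A request forged from another origin arrives with the victim's cookie but without the token, so it fails at the CSRF check before any ownership logic runs.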

File Inclusion Exploit
Local/Remote File Inclusion can lead to code execution on the web server, or to code execution on the client side through JavaScript, and can lead to other attacks such as XSS (Cross Site Scripting), Denial of Service (DoS), and data theft/manipulation.

File Upload
Allowing a user to upload a file to a website potentially opens a "door" for attacks/exploits. Without validation and protection, a user can upload a server-side script or shell code, and the server can easily be totally pwned.

File Upload
File upload to the document root without validation: a malicious user can access the uploaded file directly through its URL, leaving the server totally vulnerable and open to total compromise.

File Upload - Preventions
Client-side validation? Client-side validation such as JavaScript can be edited or disabled on the fly using browser tools such as the JavaScript console: with Chrome's Inspect Element you can directly edit any related part on the fly, and an attacker can develop a custom script to upload the file.